Lifecycle Process for Changes to the PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) secures cardholder data that is stored, processed or transmitted by merchants and other organizations. The standard is managed by the PCI Security Standards Council (PCI SSC) and its founders, the global payment brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Proposed changes to the standard also draw on input from PCI SSC stakeholders: Participating Organizations, including merchants, banks, processors, hardware and software developers, point-of-sale vendors and the assessment (QSA and ASV) community.

Changes to the PCI DSS follow a defined 24-month lifecycle with five stages, described below. The lifecycle ensures a gradual, phased adoption of new versions of the standard without invalidating current implementations of the PCI DSS or putting any organization out of compliance the moment changes are published. With the release of PCI DSS version 1.2 on October 1, 2008, the Council committed to following this process to ensure transparency and continuity of compliance. The Council will publish similar lifecycles for the Payment Application Data Security Standard (PA-DSS) and the PIN Entry Device (PED) Security Requirements.
Stage 1: Market Implementation
The first nine-month period after release of the latest PCI DSS allows for market assessment and implementation. There is no formal feedback mechanism for proposed changes during Stage 1. Instead, this period allows merchants and other organizations time to plan and address standard-mandated changes, including lead times for sunset and expiration dates. The Council may accept and review comments received during Stage 1 to ensure that there are no errors requiring errata statements of clarification. During this stage, the Council will also ensure that supporting documentation is updated and available in multiple languages.
Stage 2: Feedback Begins
The second stage allows for global market input into evolution of the PCI DSS through a formal feedback process. Participating Organizations and stakeholders will have the opportunity to formally express their views on the current version and provide suggestions for changes and improvements – especially in light of evolving technology and threats affecting cardholder data. The Council will clearly inform all stakeholders how to submit feedback during this stage. The feedback phase eventually culminates with the next Community Meeting, where feedback can be discussed in an open forum and compiled for systematic evaluation by the Council.
Stage 3: Feedback Review and Decision
During the eight-month third stage, the Council will compile feedback from many sources, including the Participating Organizations, assessment (QSA & ASV) community, Board of Advisors meetings, and community meetings. The Council’s PCI DSS Technical Working Group (TWG) will systematically analyze the feedback, which will result in one of these actions:
- No action – if feedback does not warrant revising the standard
- Issuance of a new version of the PCI DSS (e.g., version 2.0, etc.)
- Issuance of revisions to the PCI DSS (e.g., version 1.3, etc.)
- Development of new documentation to support the current version (e.g., white papers, best practices, additional FAQs, informational supplements, etc.)
Taking no action terminates the lifecycle process at this point. Other actions will be communicated to stakeholders via various channels, such as email, newsletters, press releases, conference calls and webinars.
If a revision or new version is required, the TWG will create a preliminary draft and present it for review and approval by the Board of Advisors and the Council’s Executive Committee. The Council will clearly communicate all significant changes and/or sunset dates of current practices, along with timeframes for implementing newly specified best practices and/or requirements. This includes supporting documentation to ensure a smooth transition for compliance.
Stage 4: New Version/Revision and Final Review
The fourth stage of the lifecycle allows the Council to finalize the new version or revision of the PCI DSS and prepare for its formal release. During this three-month process, the Council will provide a “summary of changes” document to the stakeholder community that includes clear, precise guidance on what to expect in the new standard. The Council will also announce the date of issuance, which will close out the lifecycle process.
The new PCI DSS and its requirements will become effective immediately upon its publication on the Council’s website.
Some new requirements may include phased implementation dates, which will provide merchants, other organizations and stakeholders with adequate time to implement required new systems or procedural changes. The Council will provide everyone with details well in advance, including phased implementation deadline dates, any subsequent sunset dates of current requirements or sub-requirements, or items affected by the revision update process. Sunset dates will usually be at least three months after publication of the updated standard. Once the sunset period passes, PCI DSS assessments will reflect requirements of the updated standard.
Stage 5: Discuss New Version/Revision
Discussion of the new or revised PCI DSS occurs at the next Community Meeting. During this event, stakeholders can obtain more clarification and education to assist in implementing the updated standard. Discussion will also benefit the assessment community by helping them clearly understand changes to the standard and how this affects assessments.
Stage 1: Months 0-9
- Communications, implementation and dissemination of release
- Evaluate immediate feedback as needed
Stage 2: Months 10-12
- Open formal feedback process
- Feedback compiled
Stage 3: Months 13-20
- Communicate compiled feedback
- Discuss feedback from Community Meeting
- Analyze trends and concern areas
- Evaluate impact
- Propose changes
- Determine action plan
- Create and issue preliminary draft to advisors for review (if appropriate)
Stage 4: Months 21-24
- Provide summary of changes to stakeholders
- Provide new version or revision
- Provide lead times for new requirements
Stage 5: Month 24
- Revision or new version is effective immediately
- Provide guidance for those in the middle of an assessment
- Help organizations stay in compliance